IKEv2 IPsec Virtual Private Networks: Understanding and Deploying IKEv2, IPsec VPNs, and FlexVPN in Cisco IOS

Book Description

Create and manage highly secure IPsec VPNs with IKEv2 and Cisco FlexVPN

The IKEv2 protocol significantly improves VPN security, and Cisco’s FlexVPN offers a unified paradigm and command line interface for taking full advantage of it. Simple and modular, FlexVPN relies extensively on tunnel interfaces while maximizing compatibility with legacy VPNs. Now, two Cisco network security experts offer a complete, easy-to-understand, and practical introduction to IKEv2, modern IPsec VPNs, and FlexVPN.

The authors explain each key concept, and then guide you through all facets of FlexVPN planning, deployment, migration, configuration, administration, troubleshooting, and optimization. You’ll discover how IKEv2 improves on IKEv1, master key IKEv2 features, and learn how to apply them with Cisco FlexVPN.

IKEv2 IPsec Virtual Private Networks offers practical design examples for many common scenarios, addressing IPv4 and IPv6, servers, clients, NAT, pre-shared keys, resiliency, overhead, and more. If you’re a network engineer, architect, security specialist, or VPN administrator, you’ll find all the knowledge you need to protect your organization with IKEv2 and FlexVPN.

  • Understand IKEv2 improvements: anti-DDoS cookies, configuration payloads, acknowledged responses, and more

  • Implement modern secure VPNs with Cisco IOS and IOS-XE

  • Plan and deploy IKEv2 in diverse real-world environments

  • Configure IKEv2 proposals, policies, profiles, keyrings, and authorization

  • Use advanced IKEv2 features, including SGT transportation and IKEv2 fragmentation

  • Understand FlexVPN, its tunnel interface types, and IOS AAA infrastructure

  • Implement FlexVPN Server with EAP authentication, pre-shared keys, and digital signatures

  • Deploy, configure, and customize FlexVPN clients

  • Configure, manage, and troubleshoot the FlexVPN Load Balancer

  • Improve FlexVPN resiliency with dynamic tunnel source, backup peers, and backup tunnels

  • Monitor IPsec VPNs with AAA, SNMP, and Syslog

  • Troubleshoot connectivity, tunnel creation, authentication, authorization, data encapsulation, data encryption, and overlay routing

  • Calculate IPsec overhead and fragmentation

  • Plan your IKEv2 migration: hardware, VPN technologies, routing, restrictions, capacity, PKI, authentication, availability, and more

Table of Contents

    1. About This E-Book
    2. Title Page
    3. Copyright Page
    4. About the Authors
    5. Note from the Authors
    6. About the Technical Reviewers
    7. Dedications
    8. Acknowledgments
    9. Contents at a Glance
    10. Contents
    11. Foreword
    12. Icons Used in This Book
    13. Command Syntax Conventions
    14. Introduction
      1. Goals and Methods
      2. Who Should Read This Book?
      3. How this book is organized
      4. Chapter 1 Introduction to IPsec VPNs
      5. Chapter 2 IKEv2 the Protocol
      6. Chapter 3 Comparison of IKEv1 and IKEv2
      7. Chapter 4 IOS IPsec implementation
      8. Chapter 5 IKEv2 Configuration
      9. Chapter 6 Advanced IKEv2 features
      10. Chapter 7 IKEv2 deployments
      11. Chapter 8 Introduction to FlexVPN
      12. Chapter 9 FlexVPN Server
      13. Chapter 10 FlexVPN Client
      14. Chapter 11 FlexVPN Load Balancer
      15. Chapter 12 FlexVPN Deployments
      16. Chapter 13 Monitoring IPsec VPNs
      17. Chapter 14 Troubleshooting IPsec VPNs
      18. Chapter 15 IPsec overhead and Fragmentation
      19. Chapter 16 Migration Strategies
    15. Part I: Understanding IPsec VPNs
      1. Chapter 1. Introduction to IPsec VPNs
        1. The Need and Purpose of IPsec VPNs
        2. Building Blocks of IPsec
          1. Security Protocols
          2. Security Associations
          3. Key Management Protocol
        3. IPsec Security Services
          1. Access Control
          2. Anti-replay Services
          3. Confidentiality
          4. Connectionless Integrity
          5. Data Origin Authentication
          6. Traffic Flow Confidentiality
        4. Components of IPsec
          1. Security Parameter Index
          2. Security Policy Database
          3. Security Association Database
          4. Peer Authorization Database
          5. Lifetime
        5. Cryptography Used in IPsec VPNs
          1. Symmetric Cryptography
          2. Asymmetric Cryptography
          3. The Diffie-Hellman Exchange
        6. Public Key Infrastructure
          1. Public Key Cryptography
          2. Certificate Authorities
          3. Digital Certificates
          4. Digital Signatures Used in IKEv2
        7. Pre-Shared-Keys, or Shared Secret
        8. Encryption and Authentication
          1. IP Authentication Header
          2. IP Encapsulating Security Payload (ESP)
          3. Encapsulating Security Payload Version 3
        9. Modes of IPsec
          1. IPsec Transport Mode
          2. IPsec Tunnel Mode
        10. Summary
        11. References
    16. Part II: Understanding IKEv2
      1. Chapter 2. IKEv2: The Protocol
        1. IKEv2 Overview
        2. The IKEv2 Exchange
        3. IKE_SA_INIT
          1. Diffie-Hellman Key Exchange
          2. Security Association Proposals
          3. Security Parameter Index (SPI)
          4. Nonce
          5. Cookie Notification
          6. Certificate Request
          7. HTTP_CERT_LOOKUP_SUPPORTED
        4. Key Material Generation
        5. IKE_AUTH
          1. Encrypted and Authenticated Payload
          2. Encrypted Payload Structure
          3. Identity
          4. Authentication
          5. Traffic Selectors
          6. Initial Contact
        6. CREATE_CHILD_SA
          1. IPsec Security Association Creation
          2. IPsec Security Association Rekey
          3. IKEv2 Security Association Rekey
        7. IKEv2 Packet Structure Overview
        8. The INFORMATIONAL Exchange
          1. Notification
          2. Deleting Security Associations
          3. Configuration Payload Exchange
          4. Dead Peer Detection/Keepalive/NAT Keepalive
          5. IKEv2 Request – Response
        9. IKEv2 and Network Address Translation
          1. NAT Detection
        10. Additions to RFC 7296
          1. RFC 5998 An Extension for EAP-Only Authentication in IKEv2
          2. RFC 5685 Redirect Mechanism for the Internet Key Exchange Protocol Version 2 (IKEv2)
          3. RFC 6989 Additional Diffie-Hellman Tests for the Internet Key Exchange Protocol Version 2 (IKEv2)
          4. RFC 6023 A Childless Initiation of the Internet Key Exchange Version 2 (IKEv2) Security Association (SA)
        11. Summary
        12. References
      2. Chapter 3. Comparison of IKEv1 and IKEv2
        1. Brief History of IKEv1
        2. Exchange Modes
          1. IKEv1
          2. IKEv2
        3. Anti-Denial of Service
        4. Lifetime
        5. Authentication
        6. High Availability
        7. Traffic Selectors
        8. Use of Identities
        9. Network Address Translation
        10. Configuration Payload
        11. Mobility & Multi-homing
        12. Matching on Identity
        13. Reliability
        14. Cryptographic Exchange Bloat
        15. Combined Mode Ciphers
        16. Continuous Channel Mode
        17. Summary
        18. References
    17. Part III: IPsec VPNs on Cisco IOS
      1. Chapter 4. IOS IPsec Implementation
        1. Modes of Encapsulation
          1. GRE Encapsulation
          2. GRE over IPsec
          3. IPsec Transport Mode with GRE over IPsec
          4. IPsec Tunnel mode with GRE over IPsec
          5. Traffic
        2. The Demise of Crypto Maps
        3. Interface Types
          1. Virtual Interfaces: VTI and GRE/IPsec
          2. Traffic Selection by Routing
          3. Static Tunnel Interfaces
          4. Dynamic Tunnel Interfaces
          5. sVTI and dVTI
          6. Multipoint GRE
        4. Tunnel Protection and Crypto Sockets
        5. Implementation Modes
          1. Dual Stack
          2. Mixed Mode
          3. Auto Tunnel Mode
        6. VRF-Aware IPsec
          1. VRF in Brief
          2. VRF-Aware GRE and VRF-Aware IPsec
          3. VRF-Aware GRE over IPsec
        7. Summary
        8. Reference
    18. Part IV: IKEv2 Implementation
      1. Chapter 5. IKEv2 Configuration
        1. IKEv2 Configuration Overview
          1. The Guiding Principle
          2. Scope of IKEv2 Configuration
          3. IKEv2 Configuration Constructs
        2. IKEv2 Proposal
          1. Configuring the IKEv2 Proposal
          2. Configuring IKEv2 Encryption
          3. Configuring IKEv2 Integrity
          4. Configuring IKEv2 Diffie-Hellman
          5. Configuring IKEv2 Pseudorandom Function
          6. Default IKEv2 Proposal
        3. IKEv2 Policy
          1. Configuring an IKEv2 Policy
          2. Default IKEv2 Policy
          3. IKEv2 Policy Selection on the Initiator
          4. IKEv2 Policy Selection on Responder
          5. IKEv2 Policy Configuration Examples
        4. IKEv2 Keyring
          1. Configuring IKEv2 Keyring
          2. Key Lookup on Initiator
          3. Key Lookup on Responder
          4. IKEv2 Keyring Configuration Example
          5. IKEv2 Keyring Key Points
        5. IKEv2 Profile
          1. IKEv2 Profile as Peer Authorization Database
          2. Configuring IKEv2 Profile
          3. IKEv2 Profile Selection on Initiator and Responder
          4. IKEv2 Profile Key Points
        6. IKEv2 Global Configuration
          1. HTTP URL-based Certificate Lookup
          2. IKEv2 Cookie Challenge
          3. IKEv2 Call Admission Control
          4. IKEv2 Window Size
          5. Dead Peer Detection
          6. NAT Keepalive
          7. IKEv2 Diagnostics
        7. PKI Configuration
          1. Certificate Authority
          2. Public-Private Key Pair
          3. PKI Trustpoint
          4. PKI Example
        8. IPsec Configuration
          1. IPsec Profile
          2. IPsec Configuration Example
        9. Smart Defaults
        10. Summary
      2. Chapter 6. Advanced IKEv2 Features
        1. Introduction to IKEv2 Fragmentation
          1. IP Fragmentation Overview
          2. IKEv2 and Fragmentation
        2. IKEv2 SGT Capability Negotiation
        3. IKEv2 Session Authentication
          1. IKEv2 Session Deletion on Certificate Revocation
          2. IKEv2 Session Deletion on Certificate Expiry
        4. IKEv2 Session Lifetime
        5. Summary
        6. References
      3. Chapter 7. IKEv2 Deployments
        1. Pre-shared-key Authentication with Smart Defaults
          1. Elliptic Curve Digital Signature Algorithm Authentication
          2. RSA Authentication Using HTTP URL Lookup
          3. IKEv2 Cookie Challenge and Call Admission Control
        2. Summary
    19. Part V: FlexVPN
      1. Chapter 8. Introduction to FlexVPN
        1. FlexVPN Overview
          1. The Rationale
          2. FlexVPN Value Proposition
        2. FlexVPN Building Blocks
          1. IKEv2
          2. Cisco IOS Point-to-Point Tunnel Interfaces
          3. Cisco IOS AAA Infrastructure
        3. IKEv2 Name Mangler
          1. Configuring IKEv2 Name Mangler
        4. IKEv2 Authorization Policy
          1. Default IKEv2 Authorization Policy
        5. FlexVPN Authorization
          1. Configuring FlexVPN Authorization
          2. FlexVPN User Authorization
          3. FlexVPN Group Authorization
          4. FlexVPN Implicit Authorization
          5. FlexVPN Authorization Types: Co-existence and Precedence
        6. FlexVPN Configuration Exchange
          1. Enabling Configuration Exchange
          2. FlexVPN Usage of Configuration Payloads
          3. Configuration Attributes and Authorization
          4. Configuration Exchange Examples
        7. FlexVPN Routing
          1. Learning Remote Subnets Locally
          2. Learning Remote Subnets from Peer
        8. Summary
      2. Chapter 9. FlexVPN Server
        1. Sequence of Events
        2. EAP Authentication
          1. EAP Methods
          2. EAP Message Flow
          3. EAP Identity
          4. EAP Timeout
          5. EAP Authentication Steps
          6. Configuring EAP
          7. EAP Configuration Example
        3. AAA-based Pre-shared Keys
          1. Configuring AAA-based Pre-Shared Keys
          2. RADIUS Attributes for AAA-Based Pre-Shared Keys
          3. AAA-Based Pre-Shared Keys Example
        4. Accounting
        5. Per-Session Interface
          1. Deriving Virtual-Access Configuration from a Virtual Template
          2. Deriving Virtual-Access Configuration from AAA Authorization
          3. Deriving Virtual-Access Configuration from an Incoming Session
          4. Virtual-Access Cloning Example
        6. Auto Detection of Tunnel Transport and Encapsulation
        7. RADIUS Packet of Disconnect
          1. Configuring RADIUS Packet of Disconnect
          2. RADIUS Packet of Disconnect Example
        8. RADIUS Change of Authorization (CoA)
          1. Configuring RADIUS CoA
          2. RADIUS CoA Examples
        9. IKEv2 Auto-Reconnect
          1. Auto-Reconnect Configuration Attributes
          2. Smart DPD
          3. Configuring IKEv2 Auto-Reconnect
        10. User Authentication, Using AnyConnect-EAP
          1. AnyConnect-EAP
          2. Configuring User Authentication, Using AnyConnect-EAP
          3. AnyConnect Configuration for Aggregate Authentication
        11. Dual-factor Authentication, Using AnyConnect-EAP
          1. AnyConnect-EAP XML Messages for dual-factor authentication
          2. Configuring Dual-factor Authentication, Using AnyConnect-EAP
        12. RADIUS Attributes Supported by the FlexVPN Server
        13. Remote Access Clients Supported by FlexVPN Server
          1. FlexVPN Remote Access Client
          2. Microsoft Windows7 IKEv2 Client
          3. Cisco IKEv2 AnyConnect Client
        14. Summary
        15. Reference
      3. Chapter 10. FlexVPN Client
        1. Introduction
        2. FlexVPN Client Overview
          1. FlexVPN Client Building Blocks
          2. FlexVPN Client Features
        3. Setting up the FlexVPN Server
        4. EAP Authentication
        5. Split-DNS
          1. Components of Split-DNS
        6. Windows Internet Naming Service (WINS)
        7. Domain Name
        8. FlexVPN Client Profile
        9. Backup Gateways
          1. Resolution of Fully Qualified Domain Names
          2. Reactivating Peers
          3. Backup Gateway List
        10. Tunnel Interface
          1. Tunnel Source
          2. Tunnel Destination
        11. Tunnel Initiation
          1. Automatic Mode
          2. Manual Mode
          3. Track Mode
        12. Dial Backup
        13. Backup Group
        14. Network Address Translation
        15. Design Considerations
          1. Use of Public Key Infrastructure and Pre-Shared Keys
          2. The Power of Tracking
        16. Troubleshooting FlexVPN Client
          1. Useful Show Commands
          2. Debugging FlexVPN Client
          3. Clearing IKEv2 FlexVPN Client Sessions
        17. Summary
      4. Chapter 11. FlexVPN Load Balancer
        1. Introduction
        2. Components of the FlexVPN Load Balancer
          1. IKEv2 Redirect
          2. Hot Standby Routing Protocol
        3. FlexVPN IKEv2 Load Balancer
          1. Cluster Load
          2. IKEv2 Redirect
          3. Redirect Loops
        4. FlexVPN Client
        5. Troubleshooting IKEv2 Load Balancing
        6. IKEv2 Load Balancer Example
        7. Summary
      5. Chapter 12. FlexVPN Deployments
        1. Introduction
        2. FlexVPN AAA-Based Pre-Shared Keys
          1. Configuration on the Branch-1 Router
          2. Configuration on the Branch-2 Router
          3. Configuration on the Hub Router
          4. Configuration on the RADIUS Server
        3. FlexVPN User and Group Authorization
          1. FlexVPN Client Configuration at Branch 1
          2. FlexVPN Client Configuration at Branch 2
          3. Configuration on the FlexVPN Server
          4. Configuration on the RADIUS Server
          5. Logs Specific to FlexVPN Client-1
          6. Logs Specific to FlexVPN Client-2
        4. FlexVPN Routing, Dual Stack, and Tunnel Mode Auto
          1. FlexVPN Spoke Configuration at Branch-1
          2. FlexVPN Spoke Configuration at Branch-2
          3. FlexVPN Hub Configuration at the HQ
          4. Verification on FlexVPN Spoke at Branch-1
          5. Verification on FlexVPN Spoke at Branch-2
          6. Verification on the FlexVPN Hub at HQ
        5. FlexVPN Client NAT to the Server-Assigned IP Address
          1. Configuration on the FlexVPN Client
          2. Verification on the FlexVPN Client
        6. FlexVPN WAN Resiliency, Using Dynamic Tunnel Source
          1. FlexVPN Client Configuration on the Dual-Homed Branch Router
          2. Verification on the FlexVPN Client
        7. FlexVPN Hub Resiliency, Using Backup Peers
          1. FlexVPN Client Configuration on the Branch Router
          2. Verification on the FlexVPN Client
        8. FlexVPN Backup Tunnel, Using Track-Based Tunnel Activation
          1. Verification on the FlexVPN Client
        9. Summary
    20. Part VI: IPsec VPN Maintenance
      1. Chapter 13. Monitoring IPsec VPNs
        1. Introduction to Monitoring
          1. Authentication, Authorization, and Accounting (AAA)
          2. NetFlow
          3. Simple Network Management Protocol
          4. Syslog
        2. Monitoring Methodology
          1. IP Connectivity
          2. VPN Tunnel Establishment
          3. Pre-Shared Key Authentication
          4. PKI Authentication
          5. EAP Authentication
          6. Authorization Using RADIUS-Based AAA
          7. Data Encryption: SNMP with IPsec
          8. Overlay Routing
          9. Data Usage
        3. Summary
        4. References
      2. Chapter 14. Troubleshooting IPsec VPNs
        1. Introduction
        2. Tools of Troubleshooting
          1. Show Commands
          2. Syslog Messages
          3. Event-Trace Monitoring
          4. Debugging
          5. Key Management Interface Debugging
          6. PKI Debugging
          7. Conditional Debugging
        3. IP Connectivity
        4. VPN Tunnel Establishment
          1. IKEv2 Diagnose Error
          2. Troubleshooting the IKE_SA_INIT Exchange
        5. Authentication
          1. Troubleshooting RSA or ECDSA Authentication
          2. Certificate Attributes
          3. Debugging Authentication Using PKI
          4. Certificate Expiry
          5. Matching Peer Using Certificate Maps
          6. Certificate Revocation
          7. Trustpoint Configuration
          8. Trustpoint Selection
          9. Pre-Shared Key
          10. Extensible Authentication Protocol (EAP)
        6. Authorization
        7. Data Encryption
          1. Debugging IPsec
          2. IPsec Anti-Replay
        8. Data Encapsulation
          1. Mismatching GRE Tunnel Keys
        9. Overlay Routing
          1. Static Routing
          2. IKEv2 Routing
          3. Dynamic Routing Protocols
        10. Summary
        11. References
    21. Part VII: IPsec Overhead
      1. Chapter 15. IPsec Overhead and Fragmentation
        1. Introduction
        2. Computing the IPsec Overhead
          1. General Considerations
          2. IPsec Mode Overhead (without GRE)
          3. GRE Overhead
          4. Encapsulating Security Payload Overhead
          5. Authentication Header Overhead
          6. Encryption Overhead
          7. Integrity Overhead
          8. Combined-mode Algorithm Overhead
          9. Plaintext MTU
          10. Maximum Overhead
        3. IPsec and Fragmentation
          1. Maximum Transmission Unit
          2. Fragmentation in IPv4
          3. Fragmentation in IPv6
          4. Path MTU Discovery
          5. TCP MSS Clamping
          6. IPsec Fragmentation and PMTUD
          7. Fragmentation on Tunnels
          8. The Impact of Fragmentation
        4. Summary
        5. References
    22. Part VIII: Migration to IKEv2
      1. Chapter 16. Migration Strategies
        1. Introduction to Migrating to IKEv2 and FlexVPN
        2. Consideration when Migrating to IKEv2
          1. Hardware Limitations
          2. Current VPN Technology
          3. Routing Protocol Selection
          4. Restrictions When Running IKEv1 and IKEv2 Simultaneously
          5. Current Capacity
          6. IP Addresses
          7. Software
          8. Amending the VPN Gateway
          9. Global IKE and IPsec Commands
          10. FlexVPN Features
          11. Familiarization
          12. Client Awareness
          13. Public Key Infrastructure
          14. Internet Protocol Version 6
          15. Authentication
          16. High Availability
          17. Asymmetric Routing
        3. Migration Strategies
          1. Hard Migration
          2. Soft Migration
        4. Migration Verification
        5. Consideration for Topologies
          1. Site-to-Site
          2. Hub and Spoke
          3. Remote Access
        6. Summary
    23. Index
    24. Inside Front Cover
    25. Inside Back Cover
    26. Code Snippets